Lenovo has released a fix for a flaw for fingerprint reader software on older ThinkPad, ThinkCentre and ThinkStation machines.
The flaw in Lenovo's Fingerprint Manager Pro enabled attackers to log into devices running Windows 7, 8 and 8.1, and let anyone log into your PC with a hardcoded password, skipping the fingerprint reader altogether. Both would require physical access to your PC.
"A vulnerability has been identified in Lenovo Fingerprint Manager Pro," Lenovo wrote on its support page. "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in."
Machines that have been updated to, or shipped with, Windows 10 are not affected. Those machines use Microsoft's own fingerprint-reading software.
Lenovo has already patched the issue, and you can download the fix here.
Those with the following systems should download the patch, especially if they use Fingerprint Manager Pro, as soon as possible if they are not running Windows 10.
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900